FDA Plans to Address Risks of Digital Health Products

The Food and Drug Administration plans to launch a new initiative to help address risks - including safety and security - of digital health products, including those that potentially fall outside the FDA's current regulatory scope.

As part of the FDA's comprehensive approach to the regulation of digital health tools, the agency will pilot in the fall "an entirely new approach" toward regulating this technology, says FDA commissioner Scott Gottlieb, M.D.

"This is an interesting and positive development, but the outcome is still very much up in the air," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "This has the potential to fill some gaps, but also may create simply an additional level of regulations, even if these regulations are more streamlined."

New Technologies

In a June 15 blog, FDA Commissioner Scott Gottlieb, M.D., says that by taking "an efficient, risk-based approach to regulation," the FDA can promote health through the creation of new and beneficial medical technologies.

The FDA's Digital Health Innovation Plan is a broad effort focused on "fostering innovation at the intersection of medicine" and digital health technology, Gottlieb writes. "This plan will include a novel, post-market approach to how we intend to regulate these digital medical devices," he says.

Gottlieb notes that in 2016, an estimated 165,000 health-related apps were available for Apple or Android smartphones. "From mobile apps and fitness trackers to clinical decision support software, innovative digital technologies have the power to transform health care in important ways," he writes. "Ambiguity regarding how FDA will approach a new technology can lead innovators to invest their time and resources in other ventures."

To encourage innovation, the FDA should carry out its mission to protect and promote the public health through policies that are clear enough for developers to apply them on their own, without having to seek out, on a case-by-case basis, FDA's position on every individual technological change or iterative software development, he writes.

Certain digital health technologies - such as clinical administrative support software and mobile apps "intended only for maintaining or encouraging a healthy lifestyle" - generally fall outside the scope of FDA regulation, Gottlieb notes.

Such technologies tend to pose low risk to patients but can provide great value to the healthcare system, he says. The FDA is working to implement the digital health provisions of the 21st Century Cures Act and, in the coming months, will publish guidance to further clarify what falls outside the scope of FDA regulation and explain how the new statutory provisions affect pre-existing FDA policies, he adds.

The FDA will provide guidance to clarify its position on products that contain multiple software functions - where some fall outside the scope of FDA regulation, but others do not, he points out.

In addition, the agency will provide new guidance on other technologies that, although not addressed in the 21st Century Cures Act, present low enough risks that the FDA does not intend to subject them to certain pre-market regulatory requirements.

"Greater certainty regarding what types of digital health technology is subject to regulation and regarding FDA's compliance policies will not only help foster innovation, but also will help the agency to devote more resources to higher risk priorities."

Risk-Based Framework

The FDA's pilot program this fall for a new approach toward regulating digital health tools "will be the cornerstone to a more efficient, risk-based regulatory framework for overseeing these medical technologies," Gottlieb says.

While the pilot program is still being developed, the FDA is considering whether and how, under current authorities, it can create a third-party certification program under which lower-risk digital health products could be marketed without FDA pre-market review and higher-risk products could be marketed with a streamlined review.

"Certification could be used to assess, for example, whether a company consistently and reliably engages in high quality software design and testing (validation) and ongoing maintenance of its software products. Employing a unique pre-certification program for software as a medical device could reduce the time and cost of market entry for digital health technologies."

In addition, post-market collection of real-world data might be able to be used to support new and evolving product functions, Gottlieb notes.

"For example, product developers could leverage real-world data gathered through the National Evaluation System for Health Technology to expedite market entry and subsequent expansion of indications more efficiently. NEST will be a federated virtual system for evidence generation comprising of strategic alliances among data sources, including registries, electronic health records, payer claims and other sources."

The Medical Device Innovation Consortium, a non-profit public-private partnership, is serving as an independent coordinating center that operates NEST, he says.

The consortium soon will announce the creation of a governing committee for the NEST Coordinating Center comprising patients, healthcare professionals, healthcare organizations, payers, industry and government.

Although the FDA does not operate NEST, the agency has been establishing "strategic alliances among data sources" to accelerate NEST's launch, with the initial version of a fully operational system - in which product developers could leverage "real-world" data gathered by NEST in support of new and evolving product functions - anticipated by the end of 2019, Gottlieb says.

Security Risks

So, where will security risks fit in with the pilot's new approach?

The FDA declined an Information Security Media Group request for an interview about the agency's digital health plans. But in a statement, the FDA says: "At this time, the pilot program is still under development and the FDA is still considering the program details. The agency is working with stakeholders to create a program that focuses on proactive management of patient safety risks and the development and maintenance of high quality software. The agency anticipates this streamlined program will address safety, efficacy, performance and security of software products."

Nahra, the attorney, says the jury is still out on how effective the FDA's digital health initiative will be in addressing regulatory gaps and related issues.

The FDA has authority to regulate certain devices and drugs, with a focus primarily on effectiveness and safety, Nahra notes.

"Much like the Common Rule and research, where the primary purpose was on informed consent but other issues have been added, the FDA is now being pushed - because of market changes - to look at both privacy and - more importantly - data security, along with these effectiveness issues," Nahra says.

The FDA is also "being pushed to appropriately balance traditional FDA review with the benefits of innovation," he adds. "So, this effort is designed to define certain apps and related kinds of technology that are not particularly risky from the FDA's perspective, where approval will be streamlined and innovation will be favored because of the lower risk, and other areas where there are more concerns.

"Any new efforts at providing clarity in this area will be helpful for the industry. Whether it goes too far - and does too much to support innovation without protecting individuals - is very much up in the air."

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
